Carousell

Carousel, also known as Carousell, operates as an online sales platform facilitating transactions between users. Headquartered in Singapore, the platform serves as a marketplace where individuals and potentially businesses can buy and sell goods. Its core function involves connecting buyers and sellers within the digital commerce space, primarily within the Singaporean market based on available incident reporting. Users interact through the platform to list items, browse offerings, and complete purchases.

The organisation experienced a significant cybersecurity incident on October 14, 2022. A breach compromised the personal contact details of nearly two million users, including phone numbers and email addresses. This exposure occurred due to a vulnerability introduced during a migration involving a third-party system. Unauthorised actors exploited this flaw to access approximately 2GB of data, which was subsequently offered for sale on a hacker forum. While sensitive payment details and national identity numbers were reportedly not compromised, other personal information provided by customers could have been accessed. Carousel addressed the underlying vulnerability following the breach and notified affected users about the heightened risk of phishing and vishing attacks stemming from the exposure of their contact information.